Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer #13994

Closed
1 task done
vicferpoy opened this issue Jun 24, 2022 · 12 comments
Assignees: vicferpoy
Labels: release test/4.3.5 (Issues related to testing for 4.3.5), type/test/manual

Comments

@vicferpoy (Contributor)

vicferpoy commented Jun 24, 2022

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name: Wazuh Indexer
Category: Installation
Deployment option: Single Indexer, server and agent: Installation assistant
Main release issue: #13967
Release candidate #: 1

Environment

Component        OS              Installation
Wazuh dashboard  Amazon Linux 2  Installation assistant
Wazuh indexer    Amazon Linux 2  Installation assistant
Wazuh server     Amazon Linux 2  Installation assistant
Wazuh agent      Windows         Installation assistant

Test description

Best effort to test Wazuh indexer package. Think critically and at least review/test:

  • Wazuh indexer package specs
  • Indexer package size
  • Indexer package metadata (description)
  • Indexer package digital signature
  • Installed files location, size and permissions
  • Installation footprint (check that no unnecessary files are modified/broken in the file system. For example that operating system files do keep their right owner/permissions and that the installer did not break the system.)
  • Installed Wazuh indexer service
  • Wazuh indexer logs when installed
  • Wazuh indexer templates and indices created
  • Wazuh indexer configuration (e.g. replicas are expected to be zero by default, how many shards per index,...) Try to compare and find anomalies with the previous Wazuh indexer version using the appropriate E2E UX issue. Write down and report as much information as possible to allow comparison between versions using this issue.
  • Wazuh indexer cluster node communication and configuration
  • Wazuh indexer cluster status
  • Wazuh indexer packages uninstallation procedure

Test report procedure

All test results must have one of the following statuses:

🟢 All checks passed.
🔴 There is at least one failed result.
🟡 There is at least one expected failure or skipped test and no failures.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results must be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Conclusions

All tests have been executed and the results can be found here.

Status | Test | Failure type | Notes
🟢 | Environment installation | |
🟢 | Wazuh indexer package | |
🟢 | Wazuh indexer installed files location, size and permissions | |
🟢 | Wazuh indexer installation footprint | |
🟢 | Wazuh indexer installed service | |
🟢 | Wazuh indexer logs when installed | |
🟢 | Wazuh indexer templates and indices created | |
🟢 | Wazuh indexer configuration | |
🟢 | Wazuh indexer cluster node communication and configuration | |
🟢 | Wazuh indexer cluster status | |
🟢 | Wazuh indexer packages uninstallation procedure | |
🟡 | User experience | Usability | Undocumented loss of connectivity between dashboard and indexer after reinstalling the latter: wazuh/wazuh-dashboard-plugins#4293

All tests have passed and the failures have been reported or justified. Therefore, I conclude that this issue is finished and OK for this release candidate.

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

@vicferpoy vicferpoy added type/test release test/4.3.5 Issues related to testing for 4.3.5 labels Jun 24, 2022
@vicferpoy vicferpoy self-assigned this Jun 24, 2022
@vicferpoy vicferpoy changed the title Release 4.3.5 (RC1) - Manual tests - Wazuh Indexer Release 4.3.5 - Release Candidate 1 - E2E UX tests - Wazuh Indexer Jun 24, 2022
@vicferpoy (Contributor, Author)

Environment installation 🟢

Each component was installed using the Installation assistant.

Wazuh indexer

[root@ip-172-31-22-1 ec2-user]# bash wazuh-install.sh --generate-config-files
24/06/2022 12:33:06 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
24/06/2022 12:33:06 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/06/2022 12:33:08 INFO: --- Configuration files ---
24/06/2022 12:33:08 INFO: Generating configuration files.
24/06/2022 12:33:09 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
[root@ip-172-31-22-1 ec2-user]# 
[root@ip-172-31-22-1 ec2-user]# bash wazuh-install.sh --wazuh-indexer wazuh-indexer
24/06/2022 12:33:29 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
24/06/2022 12:33:29 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/06/2022 12:33:35 INFO: Wazuh repository added.
24/06/2022 12:33:35 INFO: --- Wazuh indexer ---
24/06/2022 12:33:35 INFO: Starting Wazuh indexer installation.
24/06/2022 12:34:25 INFO: Wazuh indexer installation finished.
24/06/2022 12:34:25 INFO: Wazuh indexer post-install configuration finished.
24/06/2022 12:34:25 INFO: Starting service wazuh-indexer.
24/06/2022 12:34:39 INFO: wazuh-indexer service started.
24/06/2022 12:34:39 INFO: Initializing Wazuh indexer cluster security settings.
24/06/2022 12:34:41 INFO: Wazuh indexer cluster initialized.
24/06/2022 12:34:41 INFO: Installation finished.
[root@ip-172-31-22-1 ec2-user]# 

[root@ip-172-31-22-1 ec2-user]# bash wazuh-install.sh --start-cluster
27/06/2022 11:41:02 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
27/06/2022 11:41:02 INFO: Verbose logging redirected to /var/log/wazuh-install.log
27/06/2022 11:41:13 INFO: Wazuh indexer cluster security configuration initialized.
27/06/2022 11:41:32 INFO: Wazuh indexer cluster started.

Wazuh server

[root@ip-172-31-29-132 ec2-user]# bash wazuh-install.sh --wazuh-server wazuh-server
24/06/2022 12:44:53 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
24/06/2022 12:44:53 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/06/2022 12:44:58 INFO: Wazuh repository added.
24/06/2022 12:44:58 INFO: --- Wazuh server ---
24/06/2022 12:44:58 INFO: Starting the Wazuh manager installation.
24/06/2022 12:45:23 INFO: Wazuh manager installation finished.
24/06/2022 12:45:23 INFO: Starting service wazuh-manager.
24/06/2022 12:45:38 INFO: wazuh-manager service started.
24/06/2022 12:45:38 INFO: Starting Filebeat installation.
24/06/2022 12:45:51 INFO: Filebeat installation finished.
24/06/2022 12:45:51 INFO: Filebeat post-install configuration finished.
24/06/2022 12:45:55 INFO: Starting service filebeat.
24/06/2022 12:45:55 INFO: filebeat service started.
24/06/2022 12:45:55 INFO: Installation finished.
[root@ip-172-31-29-132 ec2-user]# 

[root@ip-172-31-29-132 ec2-user]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-06-24 12:45:38 UTC; 48s ago
   CGroup: /system.slice/wazuh-manager.service
           ├─1388 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1431 /var/ossec/bin/wazuh-authd
           ├─1448 /var/ossec/bin/wazuh-db
           ├─1460 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1463 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─1478 /var/ossec/bin/wazuh-execd
           ├─1493 /var/ossec/bin/wazuh-analysisd
           ├─1537 /var/ossec/bin/wazuh-syscheckd
           ├─1553 /var/ossec/bin/wazuh-remoted
           ├─1586 /var/ossec/bin/wazuh-logcollector
           ├─1608 /var/ossec/bin/wazuh-monitord
           └─1631 /var/ossec/bin/wazuh-modulesd

Jun 24 12:45:29 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-db...
Jun 24 12:45:30 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-execd...
Jun 24 12:45:31 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-analysisd...
Jun 24 12:45:32 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-syscheckd...
Jun 24 12:45:33 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-remoted...
Jun 24 12:45:34 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-logcollector...
Jun 24 12:45:35 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-monitord...
Jun 24 12:45:36 ip-172-31-29-132.ec2.internal env[1332]: Started wazuh-modulesd...
Jun 24 12:45:38 ip-172-31-29-132.ec2.internal env[1332]: Completed.
Jun 24 12:45:38 ip-172-31-29-132.ec2.internal systemd[1]: Started Wazuh manager.
[root@ip-172-31-29-132 ec2-user]# 

Wazuh dashboard

[root@ip-172-31-25-239 ec2-user]# bash wazuh-install.sh --wazuh-dashboard wazuh-dashboard
27/06/2022 11:41:58 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
27/06/2022 11:41:58 INFO: Verbose logging redirected to /var/log/wazuh-install.log
27/06/2022 11:42:03 INFO: Wazuh repository added.
27/06/2022 11:42:03 INFO: --- Wazuh dashboard ----
27/06/2022 11:42:03 INFO: Starting Wazuh dashboard installation.
27/06/2022 11:42:52 INFO: Wazuh dashboard installation finished.
27/06/2022 11:42:52 INFO: Wazuh dashboard post-install configuration finished.
27/06/2022 11:42:56 INFO: Starting service wazuh-dashboard.
27/06/2022 11:42:56 INFO: wazuh-dashboard service started.
27/06/2022 11:42:56 INFO: Initializing Wazuh dashboard web application.
27/06/2022 11:43:07 INFO: Wazuh dashboard web application initialized.
27/06/2022 11:43:07 INFO: --- Summary ---
27/06/2022 11:43:07 INFO: You can access the web interface https://172.31.25.239
    User: admin
    Password: E?Q?T+tMocVfiEmu4U.bJP7O65KkCvjW
27/06/2022 11:43:07 INFO: Installation finished.
[root@ip-172-31-25-239 ec2-user]# 

@vicferpoy (Contributor, Author)

vicferpoy commented Jun 27, 2022

Wazuh indexer package 🟢

Package SPECs 🟢

I could not identify any issue with the package SPEC. However, I don't have the expertise to assert everything is correct.

[root@ip-172-31-22-1 ec2-user]# rpm -qa | grep wazuh
wazuh-indexer-4.3.5-1.x86_64
[root@ip-172-31-22-1 ec2-user]# 
[root@ip-172-31-22-1 ec2-user]# rpm -qi wazuh-indexer-4.3.5-1.x86_64
Name        : wazuh-indexer
Version     : 4.3.5
Release     : 1
Architecture: x86_64
Install Date: Fri 24 Jun 2022 12:34:17 PM UTC
Group       : System Environment/Daemons
Size        : 644007600
License     : GPL
Signature   : RSA/SHA256, Thu 23 Jun 2022 06:31:34 PM UTC, Key ID 96b3ee5f29111145
Source RPM  : wazuh-indexer-4.3.5-1.src.rpm
Build Date  : Thu 23 Jun 2022 06:03:48 PM UTC
Build Host  : ip-172-31-69-99.ec2.internal
Relocations : (not relocatable)
Packager    : Wazuh, Inc <info@wazuh.com>
Vendor      : Wazuh, Inc <info@wazuh.com>
URL         : https://www.wazuh.com/
Summary     : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
[root@ip-172-31-22-1 ec2-user]# 

Package size 🟢

Installed size: 614 M

Package metadata (description) 🟢

Everything seems fine.

Summary     : Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html
Description :
Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html

Package digital signature 🟢

The package is signed and verified.

[root@ip-172-31-29-132 ec2-user]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH && rpm -Kv /var/cache/yum/x86_64/2/wazuh/packages/wazuh-indexer-4.3.5-1.x86_64.rpm
/var/cache/yum/x86_64/2/wazuh/packages/wazuh-indexer-4.3.5-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 29111145: OK
    Header SHA1 digest: OK (1e6bf5746a2081ddb93b9cfd2377f189e1549925)
    V3 RSA/SHA256 Signature, key ID 29111145: OK
    MD5 digest: OK (6c7718d6dee1950af70cba22125ed370)

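The `rpm --import ... && rpm -Kv` step above fetches the key from `https://packages.wazuh.com/key/GPG-KEY-WAZUH` and then verifies with it, so on its own it only proves the package was signed by whatever key that URL served at the time. A fail-closed version pins the expected key ID (the `Signature` line in the `rpm -qi` output above shows `96b3ee5f29111145`, which this rpm prints in `rpm -Kv` as the short form `29111145`) and requires every digest and signature line to read `OK`. The shell snippet below is an added example, not part of this issue or of the Wazuh project; the good transcript reuses the values shown above with a shortened path, while the `NOKEY` and wrong-key transcripts are constructed to show the check rejecting them.

```shell
#!/bin/sh
# Added example: fail-closed check of `rpm -Kv` output against a pinned key ID.
# Not part of the issue or of Wazuh. The key ID is the one from the rpm -qi
# output in the report; the NOKEY / other-key transcripts are constructed.

# Short ID of 96b3ee5f29111145 as this rpm prints it. Newer rpm releases print
# the full 16-hex ID in `rpm -Kv` output; pass that form instead where they do.
EXPECTED_KEY_ID="29111145"

# check_rpm_kv_output KEYID
# Reads `rpm -Kv <file>` output on stdin. Returns 0 only if every digest and
# signature line reports OK and every signature line names KEYID. A missing
# key (NOKEY), a tampered payload (BAD) or a different signing key return 1.
check_rpm_kv_output() {
    awk -v want="$1" '
        /^[^ ]/   { next }                          # first line is the file path
        !/: OK/   { bad++; print "FAIL:      " $0 > "/dev/stderr" }
        /Signature/ {
            sigs++
            if ($0 !~ ("key ID " want ":")) {
                bad++; print "WRONG KEY: " $0 > "/dev/stderr"
            }
        }
        END {
            if (sigs == 0) { print "FAIL: no signature lines" > "/dev/stderr"; exit 1 }
            exit (bad > 0)
        }'
}

# verify_rpm_signature FILE KEYID
# Real-world wrapper around the check. Import the vendor key first and confirm
# it is the one you expect (imported keys show up as gpg-pubkey-<shortid>-<ts>):
#   rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
#   rpm -q gpg-pubkey-29111145
verify_rpm_signature() {
    rpm -Kv "$1" | check_rpm_kv_output "$2"
}

# Values from the report's own rpm -Kv run, path shortened.
SAMPLE_GOOD='/tmp/wazuh-indexer-4.3.5-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 29111145: OK
    Header SHA1 digest: OK (1e6bf5746a2081ddb93b9cfd2377f189e1549925)
    V3 RSA/SHA256 Signature, key ID 29111145: OK
    MD5 digest: OK (6c7718d6dee1950af70cba22125ed370)'

# Constructed: key never imported, so rpm reports the ID but cannot verify it.
SAMPLE_NOKEY='/tmp/wazuh-indexer-4.3.5-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
    Header SHA1 digest: OK (1e6bf5746a2081ddb93b9cfd2377f189e1549925)
    V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
    MD5 digest: OK (6c7718d6dee1950af70cba22125ed370)'

# Constructed: a valid signature from a key we did not pin (fake key ID).
SAMPLE_OTHER_KEY='/tmp/wazuh-indexer-4.3.5-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeefcafef00d: OK
    Header SHA1 digest: OK (1e6bf5746a2081ddb93b9cfd2377f189e1549925)
    V3 RSA/SHA256 Signature, key ID deadbeefcafef00d: OK
    MD5 digest: OK (6c7718d6dee1950af70cba22125ed370)'

# Demo: run the three transcripts through the check (rpm itself not needed).
report() {
    if check_rpm_kv_output "$EXPECTED_KEY_ID" 2>/dev/null; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}
printf '%s\n' "$SAMPLE_GOOD"      | report SAMPLE_GOOD
printf '%s\n' "$SAMPLE_NOKEY"     | report SAMPLE_NOKEY
printf '%s\n' "$SAMPLE_OTHER_KEY" | report SAMPLE_OTHER_KEY
```

Note that the repository definition written by the assistant (visible in the install log further down) already sets `gpgcheck=1`, so yum enforces the signature at install time; the point of pinning the key ID is to make the manual release check independent of the key-distribution channel.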
@vicferpoy (Contributor, Author)

Wazuh indexer installed files location, size and permissions 🟢

Everything seems fine but I don't know this component in depth.

Wazuh indexer package files

@vicferpoy (Contributor, Author)

vicferpoy commented Jun 27, 2022

Wazuh indexer installation footprint 🟢

No evidence of the Wazuh Dashboard installer breaking the operating system was found.

In addition to some manual checks, no files with changed ownership could be found.

[root@ip-172-31-22-1 ec2-user]# find /etc -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /usr -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /var -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /bin -user wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /etc -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /usr -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /var -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]# find /bin -group wazuh-indexer -not -regex ".*wazuh\-indexer.*" -name "*"
[root@ip-172-31-22-1 ec2-user]#

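The `find -user` / `-group` sweep above catches files the installer handed to the `wazuh-indexer` account outside its own paths, but not an operating-system file whose mode or owner was changed to something else. `rpm -Va` reports exactly that for every file the package database knows about: each line starts with a nine-character flag field (`S` size, `M` mode, `5` digest, `D` device, `L` link target, `U` user, `G` group, `T` mtime, `P` capabilities, `.` unchanged), then an attribute column (`c` marks a config file), then the path; files deleted from disk appear as `missing`. The shell snippet below is an added example, not part of this issue or of Wazuh; it parses that output and fails on mode, user or group drift and on content changes to non-config files, while tolerating the edited config files the assistant is expected to produce. The sample `rpm -Va` output is constructed.

```shell
#!/bin/sh
# Added example: audit `rpm -Va` output for permission/ownership drift after an
# install. Not part of the issue or of Wazuh; the sample output is constructed.
#
# rpm -V line format:   <9 flags>  <attr> <path>   e.g. "S.5....T.  c /etc/foo.conf"
# deleted file:         "missing     /path"
# Flags: S size, M mode, 5 digest, D device, L readlink, U user, G group,
#        T mtime, P capabilities; "." unchanged, "?" could not be tested.
# Run it as `rpm -Va --nodeps` so dependency messages do not end up on stdin.

# check_rpm_verify_output
# Reads `rpm -Va` (or `rpm -V <pkg>`) output on stdin. Returns 1 if any file
# changed mode (M), user (U) or group (G), if a non-config file changed content
# (S or 5), or if a packaged file is missing. Config files ("c") with changed
# content are reported but accepted; mtime-only changes are ignored.
check_rpm_verify_output() {
    awk '
        /^[ \t]*$/ { next }
        /^missing/ { bad++; print "MISSING:  " $NF > "/dev/stderr"; next }
        {
            flags = $1
            attr  = (NF >= 3) ? $2 : ""            # "c", "d", "g", "l", "r" or none
            path  = $NF
            if (flags ~ /M/) { bad++; print "MODE:     " path > "/dev/stderr" }
            if (flags ~ /U/) { bad++; print "OWNER:    " path > "/dev/stderr" }
            if (flags ~ /G/) { bad++; print "GROUP:    " path > "/dev/stderr" }
            if (flags ~ /[S5]/) {
                if (attr == "c") print "edited config (expected): " path > "/dev/stderr"
                else { bad++; print "CONTENT:  " path > "/dev/stderr" }
            }
        }
        END { exit (bad > 0) }'
}

# Constructed: what a clean install looks like. The assistant rewrites the
# indexer config files (size, digest, mtime), and one file has a new mtime only.
SAMPLE_CLEAN='S.5....T.  c /etc/wazuh-indexer/opensearch.yml
S.5....T.  c /etc/wazuh-indexer/jvm.options
.......T.    /usr/share/wazuh-indexer/plugins/opensearch-security/plugin-descriptor.properties'

# Constructed: the kind of damage the footprint test is meant to catch.
SAMPLE_DRIFT='S.5....T.  c /etc/wazuh-indexer/opensearch.yml
.M.......    /etc/passwd
.....UG..    /var/log
missing     /etc/profile.d/lang.sh'

report() {
    if check_rpm_verify_output; then echo "$1: no drift"; else echo "$1: DRIFT FOUND"; fi
}
printf '%s\n' "$SAMPLE_CLEAN" | report SAMPLE_CLEAN
printf '%s\n' "$SAMPLE_DRIFT" | report SAMPLE_DRIFT
```

`rpm -Va` only knows about files that belong to some package, so it complements rather than replaces the `find` sweep above: certificates, keystores and other files the assistant generates outside the package are only visible to `find`.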
@vicferpoy (Contributor, Author)

Wazuh indexer installed service 🟢

The service was correctly installed, enabled and started.

[root@ip-172-31-22-1 ec2-user]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-06-27 10:05:15 UTC; 2h 48min ago
     Docs: https://documentation.wazuh.com
 Main PID: 3123 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─3123 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMe...

Jun 27 10:04:55 ip-172-31-22-1.ec2.internal systemd[1]: Starting Wazuh-indexer...
Jun 27 10:05:13 ip-172-31-22-1.ec2.internal systemd-entrypoint[3123]: WARNING: An illegal reflective access operation has occurred
Jun 27 10:05:13 ip-172-31-22-1.ec2.internal systemd-entrypoint[3123]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
Jun 27 10:05:13 ip-172-31-22-1.ec2.internal systemd-entrypoint[3123]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
Jun 27 10:05:13 ip-172-31-22-1.ec2.internal systemd-entrypoint[3123]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Jun 27 10:05:13 ip-172-31-22-1.ec2.internal systemd-entrypoint[3123]: WARNING: All illegal access operations will be denied in a future release
Jun 27 10:05:15 ip-172-31-22-1.ec2.internal systemd[1]: Started Wazuh-indexer.
[root@ip-172-31-22-1 ec2-user]# 
[root@ip-172-31-22-1 ec2-user]# 
[root@ip-172-31-22-1 ec2-user]# systemctl is-enabled wazuh-indexer
enabled
[root@ip-172-31-22-1 ec2-user]# 
[root@ip-172-31-22-1 ec2-user]# 
[root@ip-172-31-22-1 ec2-user]# systemctl cat wazuh-indexer.service
# /usr/lib/systemd/system/wazuh-indexer.service
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer

WorkingDirectory=/usr/share/wazuh-indexer

User=wazuh-indexer
Group=wazuh-indexer

ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet

# StandardOutput is configured to redirect to journalctl since
(...)

@vicferpoy (Contributor, Author)

vicferpoy commented Jun 28, 2022

Wazuh indexer logs when installed 🟢

No error was reported.

[root@ip-172-31-22-1 ec2-user]# cat /var/log/wazuh-install.log 
28/06/2022 08:46:21 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
28/06/2022 08:46:21 INFO: Verbose logging redirected to /var/log/wazuh-install.log
28/06/2022 08:46:26 DEBUG: Adding the Wazuh repository.
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-${releasever} - Wazuh
baseurl=https://packages-dev.wazuh.com/pre-release/yum/
protect=1
28/06/2022 08:46:26 INFO: Wazuh repository added.
28/06/2022 08:46:26 INFO: --- Wazuh indexer ---
28/06/2022 08:46:26 INFO: Starting Wazuh indexer installation.
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.3.5-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch            Version            Repository      Size
================================================================================
Installing:
 wazuh-indexer          x86_64          4.3.5-1            wazuh          361 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 361 M
Installed size: 614 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-indexer-4.3.5-1.x86_64                                 1/1 
Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore
  Verifying  : wazuh-indexer-4.3.5-1.x86_64                                 1/1 

Installed:
  wazuh-indexer.x86_64 0:4.3.5-1                                                

Complete!
28/06/2022 08:47:19 INFO: Wazuh indexer installation finished.
28/06/2022 08:47:19 DEBUG: Configuring Wazuh indexer.
28/06/2022 08:47:19 INFO: Wazuh indexer post-install configuration finished.
28/06/2022 08:47:19 INFO: Starting service wazuh-indexer.
Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.
28/06/2022 08:47:32 INFO: wazuh-indexer service started.
28/06/2022 08:47:32 INFO: Initializing Wazuh indexer cluster security settings.
28/06/2022 08:47:33 DEBUG: Setting Wazuh indexer cluster passwords.
28/06/2022 08:47:35 INFO: Wazuh indexer cluster initialized.
28/06/2022 08:47:35 INFO: Installation finished.

@vicferpoy (Contributor, Author)

Wazuh indexer templates and indices created 🟢

Created indices

[root@ip-172-31-25-239 ec2-user]# curl -u admin:${PASSWORD} -k https://172.31.22.1:9200/_cat/indices?pretty
green open wazuh-monitoring-2022.26w   JuXxqandTO6IMQHNSg123Q 1 0 0  0   208b   208b
green open wazuh-alerts-4.x-2022.06.28 BQ6v47PmStSPp1YWbEGpqw 3 0 2  0 37.2kb 37.2kb
green open .kibana_2                   1TAZYP4SR56ltaTUXwC7DA 1 0 5 44 46.3kb 46.3kb
green open .kibana_1                   P-35U4dnTkqaT3DZtc6gdw 1 0 4  0 31.6kb 31.6kb
green open .opendistro_security        hCNfOab7Tf-dQNpkykRYBQ 1 0 9  8 92.7kb 92.7kb
green open wazuh-statistics-2022.26w   tKaXPObxQQmrdCa0m26TeA 1 0 2  0 22.7kb 22.7kb
green open .tasks                      m1fu4u2kToCMtV28q3aPwA 1 0 1  0  6.9kb  6.9kb
[root@ip-172-31-25-239 ec2-user]# 

Created templates

[root@ip-172-31-25-239 ec2-user]# curl -u admin:${PASSWORD} -k https://172.31.22.1:9200/_cat/templates?pretty
wazuh-statistics [wazuh-statistics-*]                       0   
wazuh            [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1 
wazuh-agent      [wazuh-monitoring-*]                       0   
[root@ip-172-31-25-239 ec2-user]# 

@vicferpoy (Contributor, Author)

Wazuh indexer configuration 🟢

opensearch.yml file

[root@ip-172-31-22-1 ec2-user]# cat /etc/wazuh-indexer/opensearch.yml
node.master: true
node.data: true
node.ingest: true

cluster.name: wazuh-indexer-cluster
cluster.routing.allocation.disk.threshold_enabled: false

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer


plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
node.name: wazuh-indexer
network.host: 172.31.22.1
cluster.initial_master_nodes: wazuh-indexer
plugins.security.nodes_dn:
        - CN=wazuh-indexer,OU=Wazuh,O=Wazuh,L=California,C=US
[root@ip-172-31-22-1 ec2-user]# 

Shards

[root@ip-172-31-25-239 ec2-user]# curl -u admin:${PASSWORD} -k https://172.31.22.1:9200/_cat/shards?v=true
index                       shard prirep state   docs  store ip          node
wazuh-alerts-4.x-2022.06.28 1     p      STARTED    3 33.1kb 172.31.22.1 wazuh-indexer
wazuh-statistics-2022.26w   0     p      STARTED    2 22.7kb 172.31.22.1 wazuh-indexer
.tasks                      0     p      STARTED    1  6.9kb 172.31.22.1 wazuh-indexer
.kibana_2                   0     p      STARTED    5 46.3kb 172.31.22.1 wazuh-indexer
wazuh-monitoring-2022.26w   0     p      STARTED    0   208b 172.31.22.1 wazuh-indexer
.kibana_1                   0     p      STARTED    4 31.6kb 172.31.22.1 wazuh-indexer
.opendistro_security        0     p      STARTED    9 92.7kb 172.31.22.1 wazuh-indexer

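Besides reading `opensearch.yml` by eye, the settings that decide how exposed the indexer is can be checked mechanically: the security plugin must not be disabled, the REST port must be TLS-only, `network.host` should be a specific address rather than a wildcard, and `plugins.security.ssl.transport.enforce_hostname_verification: false` (as above) is worth surfacing because it means inter-node trust rests on `plugins.security.nodes_dn` alone rather than on the hostnames in node certificates. The shell snippet below is an added example, not part of this issue or of the Wazuh project: the keys it reads are real OpenSearch security plugin settings, but which values it treats as failures or warnings is this example's own policy. It parses flat `key: value` lines only (list-valued keys such as `nodes_dn` and `admin_dn` are skipped); the passing sample is an excerpt of the config above and the weak variant is constructed.

```shell
#!/bin/sh
# Added example: mechanical check of security-relevant opensearch.yml settings.
# Not part of the issue or of Wazuh. Setting names are real OpenSearch security
# plugin keys; the pass/fail policy below is this example's own.
# Only single-line "key: value" entries are parsed; YAML lists are skipped.

# check_opensearch_yml
# Reads opensearch.yml on stdin. Returns 0 when no hard failure was found.
# Warnings go to stderr and do not change the exit status.
check_opensearch_yml() {
    awk '
        function fail(msg) { bad++; print "FAIL: " msg > "/dev/stderr" }
        function warn(msg) {        print "WARN: " msg > "/dev/stderr" }

        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        /^[A-Za-z][^:]*:[ \t]*[^ \t]/ {               # "key: value" on one line
            key = $1; sub(/:$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            gsub(/^"|"$/, "", val)                    # strip surrounding quotes
            cfg[key] = val
        }
        END {
            if (cfg["plugins.security.disabled"] == "true")
                fail("plugins.security.disabled is true: no authentication or TLS")
            if (cfg["plugins.security.ssl.http.enabled"] != "true")
                fail("REST API (9200) is not TLS-only")
            if (cfg["plugins.security.allow_unsafe_democertificates"] == "true")
                fail("demo certificates are accepted")
            if (cfg["network.host"] ~ /^(0\.0\.0\.0|0|::)$/)
                fail("network.host binds every interface")
            if (cfg["plugins.security.ssl.transport.enforce_hostname_verification"] == "false")
                warn("transport hostname verification off; node trust rests on nodes_dn")
            if (cfg["cluster.routing.allocation.disk.threshold_enabled"] == "false")
                warn("disk watermarks disabled; a full disk will not stop allocation")
            exit (bad > 0)
        }'
}

# Excerpt of the RC1 opensearch.yml shown above (list values included to show
# they are skipped, not parsed).
SAMPLE_RC_CONFIG='node.master: true
cluster.name: wazuh-indexer-cluster
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
node.name: wazuh-indexer
network.host: 172.31.22.1
cluster.initial_master_nodes: wazuh-indexer
plugins.security.nodes_dn:
        - CN=wazuh-indexer,OU=Wazuh,O=Wazuh,L=California,C=US'

# Constructed weak variant: wildcard bind, security plugin off, plaintext HTTP.
SAMPLE_WEAK_CONFIG='cluster.name: wazuh-indexer-cluster
network.host: 0.0.0.0
plugins.security.disabled: true
plugins.security.ssl.http.enabled: false'

report() {
    if check_opensearch_yml; then echo "$1: pass"; else echo "$1: FAIL"; fi
}
printf '%s\n' "$SAMPLE_RC_CONFIG"   | report "RC1 opensearch.yml"
printf '%s\n' "$SAMPLE_WEAK_CONFIG" | report "weak variant"
```

On the RC1 file the check passes with two warnings, which matches the report: the installer's certificates carry the node name as CN and are matched through `nodes_dn`, so hostname verification being off is a documented choice rather than a defect, but it is the line to revisit when the cluster grows beyond a single node.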
@vicferpoy (Contributor, Author)

vicferpoy commented Jun 28, 2022

Wazuh indexer cluster node communication and configuration 🟢

Configuration

Too long output.

[root@ip-172-31-25-239 ec2-user]# curl -u admin:${PASSWORD} -k https://172.31.22.1:9200/_nodes?pretty
{
  "_nodes" : {
    "total" : 1,
    "successful" : 1,
    "failed" : 0
  },
  "cluster_name" : "wazuh-indexer-cluster",
  "nodes" : {
    "NyJQGAVJTRGH5e_G4Ckv-Q" : {
      "name" : "wazuh-indexer",
      "transport_address" : "172.31.22.1:9300",
      "host" : "172.31.22.1",
      "ip" : "172.31.22.1",
      "version" : "1.2.4",
      "build_type" : "rpm",
      "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f",
      "total_indexing_buffer" : 205520896,
      "roles" : [
        "data",
        "ingest",
        "master",
        "remote_cluster_client"
      ],
      "attributes" : {
        "shard_indexing_pressure_enabled" : "true"
      },
      "settings" : {
        "cluster" : {
          "initial_master_nodes" : "wazuh-indexer",
          "name" : "wazuh-indexer-cluster",
          "routing" : {
            "allocation" : {
              "disk" : {
                "threshold_enabled" : "false"
              }
            }
          }
        },
        "node" : {
          "pidfile" : "/run/wazuh-indexer/wazuh-indexer.pid",
          "data" : "true",
          "max_local_storage_nodes" : "3",
          "name" : "wazuh-indexer",
          "attr" : {
            "shard_indexing_pressure_enabled" : "true"
          },
          "ingest" : "true",
          "master" : "true"
        },
        "path" : {
          "data" : [
            "/var/lib/wazuh-indexer"
          ],
          "logs" : "/var/log/wazuh-indexer",
          "home" : "/usr/share/wazuh-indexer"
        },
        "client" : {
          "type" : "node"
        },
        "http" : {
          "compression" : "false",
          "type" : "org.opensearch.security.http.SecurityHttpServerTransport",
          "type.default" : "netty4"
        },
        "transport" : {
          "type" : "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
          "type.default" : "netty4"
        },
        "compatibility" : {
          "override_main_response_version" : "true"
        },
        "network" : {
          "host" : "172.31.22.1"
        }
      },
      "os" : {
        "refresh_interval_in_millis" : 1000,
        "name" : "Linux",
        "pretty_name" : "Amazon Linux 2",
        "arch" : "amd64",
        "version" : "5.10.118-111.515.amzn2.x86_64",
        "available_processors" : 2,
        "allocated_processors" : 2
      },
      "process" : {
        "refresh_interval_in_millis" : 1000,
        "id" : 12294,
        "mlockall" : false
      },
      "jvm" : {
        "pid" : 12294,
        "version" : "15.0.1",
        "vm_name" : "OpenJDK 64-Bit Server VM",
        "vm_version" : "15.0.1+9",
        "vm_vendor" : "AdoptOpenJDK",
        "bundled_jdk" : true,
        "using_bundled_jdk" : true,
        "start_time_in_millis" : 1656407870522,
        "mem" : {
          "heap_init_in_bytes" : 2055208960,
          "heap_max_in_bytes" : 2055208960,
          "non_heap_init_in_bytes" : 7667712,
          "non_heap_max_in_bytes" : 0,
          "direct_max_in_bytes" : 0
        },
        "gc_collectors" : [
          "G1 Young Generation",
          "G1 Old Generation"
        ],
        "memory_pools" : [
          "CodeHeap 'non-nmethods'",
          "Metaspace",
          "CodeHeap 'profiled nmethods'",
          "Compressed Class Space",
          "G1 Eden Space",
          "G1 Old Gen",
          "G1 Survivor Space",
          "CodeHeap 'non-profiled nmethods'"
        ],
        "using_compressed_ordinary_object_pointers" : "true",
        "input_arguments" : [
          "-Xshare:auto",
          "-Dopensearch.networkaddress.cache.ttl=60",
          "-Dopensearch.networkaddress.cache.negative.ttl=10",
          "-XX:+AlwaysPreTouch",
          "-Xss1m",
          "-Djava.awt.headless=true",
          "-Dfile.encoding=UTF-8",
          "-Djna.nosys=true",
          "-XX:-OmitStackTraceInFastThrow",
          "-XX:+ShowCodeDetailsInExceptionMessages",
          "-Dio.netty.noUnsafe=true",
          "-Dio.netty.noKeySetOptimization=true",
          "-Dio.netty.recycler.maxCapacityPerThread=0",
          "-Dio.netty.allocator.numDirectArenas=0",
          "-Dlog4j.shutdownHookEnabled=false",
          "-Dlog4j2.disable.jmx=true",
          "-Djava.locale.providers=SPI,COMPAT",
          "-Xms1960m",
          "-Xmx1960m",
          "-XX:+UseG1GC",
          "-XX:G1ReservePercent=25",
          "-XX:InitiatingHeapOccupancyPercent=30",
          "-Djava.io.tmpdir=/tmp/opensearch-1387981877064118528",
          "-XX:+HeapDumpOnOutOfMemoryError",
          "-XX:HeapDumpPath=data",
          "-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log",
          "-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m",
          "-XX:MaxDirectMemorySize=1027604480",
          "-Dopensearch.path.home=/usr/share/wazuh-indexer",
          "-Dopensearch.path.conf=/etc/wazuh-indexer",
          "-Dopensearch.distribution.type=rpm",
          "-Dopensearch.bundled_jdk=true"
        ]
      },
      "thread_pool" : {
        "force_merge" : {
          "type" : "fixed",
          "size" : 1,
          "queue_size" : -1
        },
        "fetch_shard_started" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 4,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "listener" : {
          "type" : "fixed",
          "size" : 1,
          "queue_size" : -1
        },
        "training" : {
          "type" : "fixed",
          "size" : 1,
          "queue_size" : 1
        },
        "sql-worker" : {
          "type" : "fixed",
          "size" : 2,
          "queue_size" : 1000
        },
        "search" : {
          "type" : "fixed_auto_queue_size",
          "size" : 4,
          "queue_size" : 1000
        },
        "opensearch_asynchronous_search_generic" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 4,
          "keep_alive" : "30m",
          "queue_size" : -1
        },
        "flush" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 1,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "fetch_shard_store" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 4,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "get" : {
          "type" : "fixed",
          "size" : 2,
          "queue_size" : 1000
        },
        "system_read" : {
          "type" : "fixed",
          "size" : 1,
          "queue_size" : 2000
        },
        "open_distro_job_scheduler" : {
          "type" : "fixed",
          "size" : 2,
          "queue_size" : 200
        },
        "write" : {
          "type" : "fixed",
          "size" : 2,
          "queue_size" : 10000
        },
        "replication_follower" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 10,
          "keep_alive" : "1m",
          "queue_size" : -1
        },
        "refresh" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 1,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "replication_leader" : {
          "type" : "fixed",
          "size" : 4,
          "queue_size" : 1000
        },
        "system_write" : {
          "type" : "fixed",
          "size" : 1,
          "queue_size" : 1000
        },
        "generic" : {
          "type" : "scaling",
          "core" : 4,
          "max" : 128,
          "keep_alive" : "30s",
          "queue_size" : -1
        },
        "warmer" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 1,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "management" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 5,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "analyze" : {
          "type" : "fixed",
          "size" : 1,
          "queue_size" : 16
        },
        "ad-threadpool" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 1,
          "keep_alive" : "10m",
          "queue_size" : -1
        },
        "snapshot" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 1,
          "keep_alive" : "5m",
          "queue_size" : -1
        },
        "search_throttled" : {
          "type" : "fixed_auto_queue_size",
          "size" : 1,
          "queue_size" : 100
        },
        "ad-batch-task-threadpool" : {
          "type" : "scaling",
          "core" : 1,
          "max" : 1,
          "keep_alive" : "10m",
          "queue_size" : -1
        }
      },
      "transport" : {
        "bound_address" : [
          "172.31.22.1:9300"
        ],
        "publish_address" : "172.31.22.1:9300",
        "profiles" : { }
      },
      "http" : {
        "bound_address" : [
          "172.31.22.1:9200"
        ],
        "publish_address" : "172.31.22.1:9200",
        "max_content_length_in_bytes" : 104857600
      },
      "plugins" : [
        {
          "name" : "opensearch-alerting",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Amazon OpenSearch alerting plugin",
          "classname" : "org.opensearch.alerting.AlertingPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "lang-painless"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-anomaly-detection",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch anomaly detector plugin",
          "classname" : "org.opensearch.ad.AnomalyDetectorPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "lang-painless",
            "opensearch-job-scheduler"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-asynchronous-search",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Provides support for asynchronous search",
          "classname" : "org.opensearch.search.asynchronous.plugin.AsynchronousSearchPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-cross-cluster-replication",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch Cross Cluster Replication Plugin",
          "classname" : "org.opensearch.replication.ReplicationPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-index-management",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch Index Management Plugin",
          "classname" : "org.opensearch.indexmanagement.IndexManagementPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "opensearch-job-scheduler"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-job-scheduler",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch Job Scheduler plugin",
          "classname" : "org.opensearch.jobscheduler.JobSchedulerPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-knn",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch k-NN plugin",
          "classname" : "org.opensearch.knn.plugin.KNNPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "lang-painless"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-observability",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch Plugin for OpenSearch Dashboards Observability",
          "classname" : "org.opensearch.observability.ObservabilityPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-performance-analyzer",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch Performance Analyzer Plugin",
          "classname" : "org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-reports-scheduler",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Scheduler for Dashboards Reports Plugin",
          "classname" : "org.opensearch.reportsscheduler.ReportsSchedulerPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "opensearch-job-scheduler"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-security",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Provide access control related features for OpenSearch 1.0.0",
          "classname" : "org.opensearch.security.OpenSearchSecurityPlugin",
          "custom_foldername" : null,
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-sql",
          "version" : "1.2.4.0",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "OpenSearch SQL",
          "classname" : "org.opensearch.sql.plugin.SQLPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        }
      ],
      "modules" : [
        {
          "name" : "aggs-matrix-stats",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Adds aggregations whose input are a list of numeric fields and output includes a matrix.",
          "classname" : "org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "analysis-common",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Adds \"built in\" analyzers to OpenSearch.",
          "classname" : "org.opensearch.analysis.common.CommonAnalysisPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "lang-painless"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "geo",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Placeholder plugin for geospatial features in OpenSearch. only registers geo_shape field mapper for now",
          "classname" : "org.opensearch.geo.GeoPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "ingest-common",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Module for ingest processors that do not require additional security permissions or have large dependencies and resources",
          "classname" : "org.opensearch.ingest.common.IngestCommonPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [
            "lang-painless"
          ],
          "has_native_controller" : false
        },
        {
          "name" : "ingest-geoip",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Ingest processor that uses looksup geo data based on ip adresses using the Maxmind geo database",
          "classname" : "org.opensearch.ingest.geoip.IngestGeoIpPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "ingest-user-agent",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Ingest processor that extracts information from a user agent",
          "classname" : "org.opensearch.ingest.useragent.IngestUserAgentPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "lang-expression",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Lucene expressions integration for OpenSearch",
          "classname" : "org.opensearch.script.expression.ExpressionPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "lang-mustache",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Mustache scripting integration for OpenSearch",
          "classname" : "org.opensearch.script.mustache.MustachePlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "lang-painless",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "An easy, safe and fast scripting language for OpenSearch",
          "classname" : "org.opensearch.painless.PainlessPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "mapper-extras",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Adds advanced field mappers",
          "classname" : "org.opensearch.index.mapper.MapperExtrasPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "opensearch-dashboards",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Plugin exposing APIs for OpenSearch Dashboards system indices",
          "classname" : "org.opensearch.dashboards.OpenSearchDashboardsPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "parent-join",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "This module adds the support parent-child queries and aggregations",
          "classname" : "org.opensearch.join.ParentJoinPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "percolator",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Percolator module adds capability to index queries and query these queries by specifying documents",
          "classname" : "org.opensearch.percolator.PercolatorPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "rank-eval",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "The Rank Eval module adds APIs to evaluate ranking quality.",
          "classname" : "org.opensearch.index.rankeval.RankEvalPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "reindex",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "The Reindex module adds APIs to reindex from one index to another or update documents in place.",
          "classname" : "org.opensearch.index.reindex.ReindexPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "repository-url",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Module for URL repository",
          "classname" : "org.opensearch.plugin.repository.url.URLRepositoryPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "systemd",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Integrates OpenSearch with systemd",
          "classname" : "org.opensearch.systemd.SystemdPlugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        },
        {
          "name" : "transport-netty4",
          "version" : "1.2.4",
          "opensearch_version" : "1.2.4",
          "java_version" : "1.8",
          "description" : "Netty 4 based transport implementation",
          "classname" : "org.opensearch.transport.Netty4Plugin",
          "custom_foldername" : "",
          "extended_plugins" : [ ],
          "has_native_controller" : false
        }
      ],
      "ingest" : {
        "processors" : [
          {
            "type" : "append"
          },
          {
            "type" : "bytes"
          },
          {
            "type" : "convert"
          },
          {
            "type" : "csv"
          },
          {
            "type" : "date"
          },
          {
            "type" : "date_index_name"
          },
          {
            "type" : "dissect"
          },
          {
            "type" : "dot_expander"
          },
          {
            "type" : "drop"
          },
          {
            "type" : "fail"
          },
          {
            "type" : "foreach"
          },
          {
            "type" : "geoip"
          },
          {
            "type" : "grok"
          },
          {
            "type" : "gsub"
          },
          {
            "type" : "html_strip"
          },
          {
            "type" : "join"
          },
          {
            "type" : "json"
          },
          {
            "type" : "kv"
          },
          {
            "type" : "lowercase"
          },
          {
            "type" : "pipeline"
          },
          {
            "type" : "remove"
          },
          {
            "type" : "rename"
          },
          {
            "type" : "script"
          },
          {
            "type" : "set"
          },
          {
            "type" : "sort"
          },
          {
            "type" : "split"
          },
          {
            "type" : "trim"
          },
          {
            "type" : "uppercase"
          },
          {
            "type" : "urldecode"
          },
          {
            "type" : "user_agent"
          }
        ]
      },
      "aggregations" : {
        "adjacency_matrix" : {
          "types" : [
            "other"
          ]
        },
        "auto_date_histogram" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "avg" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "cardinality" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "geopoint",
            "ip",
            "numeric",
            "range"
          ]
        },
        "children" : {
          "types" : [
            "other"
          ]
        },
        "composite" : {
          "types" : [
            "other"
          ]
        },
        "date_histogram" : {
          "types" : [
            "boolean",
            "date",
            "numeric",
            "range"
          ]
        },
        "date_range" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "diversified_sampler" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "numeric"
          ]
        },
        "extended_stats" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "filter" : {
          "types" : [
            "other"
          ]
        },
        "filters" : {
          "types" : [
            "other"
          ]
        },
        "geo_bounds" : {
          "types" : [
            "geopoint"
          ]
        },
        "geo_centroid" : {
          "types" : [
            "geopoint"
          ]
        },
        "geo_distance" : {
          "types" : [
            "geopoint"
          ]
        },
        "geohash_grid" : {
          "types" : [
            "geopoint"
          ]
        },
        "geotile_grid" : {
          "types" : [
            "geopoint"
          ]
        },
        "global" : {
          "types" : [
            "other"
          ]
        },
        "histogram" : {
          "types" : [
            "boolean",
            "date",
            "numeric",
            "range"
          ]
        },
        "ip_range" : {
          "types" : [
            "ip"
          ]
        },
        "matrix_stats" : {
          "types" : [
            "other"
          ]
        },
        "max" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "median_absolute_deviation" : {
          "types" : [
            "numeric"
          ]
        },
        "min" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "missing" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "geopoint",
            "ip",
            "numeric",
            "range"
          ]
        },
        "nested" : {
          "types" : [
            "other"
          ]
        },
        "parent" : {
          "types" : [
            "other"
          ]
        },
        "percentile_ranks" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "percentiles" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "range" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "rare_terms" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric"
          ]
        },
        "reverse_nested" : {
          "types" : [
            "other"
          ]
        },
        "sampler" : {
          "types" : [
            "other"
          ]
        },
        "scripted_metric" : {
          "types" : [
            "other"
          ]
        },
        "significant_terms" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric"
          ]
        },
        "significant_text" : {
          "types" : [
            "other"
          ]
        },
        "stats" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "sum" : {
          "types" : [
            "boolean",
            "date",
            "numeric"
          ]
        },
        "terms" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "ip",
            "numeric"
          ]
        },
        "top_hits" : {
          "types" : [
            "other"
          ]
        },
        "value_count" : {
          "types" : [
            "boolean",
            "bytes",
            "date",
            "geopoint",
            "ip",
            "numeric",
            "range"
          ]
        },
        "variable_width_histogram" : {
          "types" : [
            "numeric"
          ]
        },
        "weighted_avg" : {
          "types" : [
            "numeric"
          ]
        }
      }
    }
  }
}

Nodes state

[root@ip-172-31-25-239 ec2-user]# curl -u admin:${PASSWORD} -k https://172.31.22.1:9200/_cluster/state/nodes?pretty
{
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "0Z_24yHDRy6FYO4Rn7PZHQ",
  "nodes" : {
    "NyJQGAVJTRGH5e_G4Ckv-Q" : {
      "name" : "wazuh-indexer",
      "ephemeral_id" : "IXNELY-zRBqSKaVBQRrWqg",
      "transport_address" : "172.31.22.1:9300",
      "attributes" : {
        "shard_indexing_pressure_enabled" : "true"
      }
    }
  }
}

@vicferpoy

Wazuh indexer cluster status 🟢

[root@ip-172-31-25-239 ec2-user]# curl -u admin:${PASSWORD} -k https://172.31.22.1:9200/_cluster/health?pretty
{
  "cluster_name" : "wazuh-indexer-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "active_primary_shards" : 9,
  "active_shards" : 9,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
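The two comments above check cluster membership and health by reading the raw JSON by eye. The following script is an added example (not part of this issue, nor Wazuh's or OpenSearch's own code) that applies the same checks to the parsed `_cluster/health` and `_nodes` responses: the cluster is green with the expected node count and nothing unallocated, every plugin is built for the OpenSearch version the node runs, the security plugin is loaded, and the REST listener is not bound on all interfaces. The embedded samples are constructed from the values printed in this thread so it runs offline; the node-level `version` field in the `_nodes` sample and the `root-ca.pem` path in the usage comment are assumptions.

```python
"""Offline post-install checks for a single-node Wazuh indexer (added example).

Each check takes the parsed JSON of one OpenSearch REST response and returns a
list of findings; an empty list is a pass. The samples are constructed from the
values printed earlier in this issue so the checks run without a live node.
"""
import json
from typing import Dict, List

# Constructed sample: the _cluster/health response shown above.
SAMPLE_HEALTH: Dict = json.loads("""
{"cluster_name": "wazuh-indexer-cluster", "status": "green", "timed_out": false,
 "number_of_nodes": 1, "number_of_data_nodes": 1, "discovered_master": true,
 "active_primary_shards": 9, "active_shards": 9, "relocating_shards": 0,
 "initializing_shards": 0, "unassigned_shards": 0, "delayed_unassigned_shards": 0,
 "number_of_pending_tasks": 0, "active_shards_percent_as_number": 100.0}
""")

# Constructed sample: a trimmed _nodes response with three of the plugins
# listed above (the node-level "version" field is assumed).
SAMPLE_NODES: Dict = json.loads("""
{"nodes": {"NyJQGAVJTRGH5e_G4Ckv-Q": {
   "name": "wazuh-indexer", "version": "1.2.4",
   "http": {"bound_address": ["172.31.22.1:9200"]},
   "plugins": [
     {"name": "opensearch-security", "version": "1.2.4.0", "opensearch_version": "1.2.4"},
     {"name": "opensearch-alerting", "version": "1.2.4.0", "opensearch_version": "1.2.4"},
     {"name": "opensearch-sql", "version": "1.2.4.0", "opensearch_version": "1.2.4"}]}}}
""")


def check_health(health: Dict, expected_nodes: int = 1) -> List[str]:
    """Cluster must be green, have a master, the expected node count and no
    shards still moving or unallocated."""
    findings: List[str] = []
    if health.get("status") != "green":
        findings.append(f"status is {health.get('status')!r}, expected 'green'")
    if health.get("timed_out"):
        findings.append("health request timed out")
    if not health.get("discovered_master"):
        findings.append("no master node discovered")
    if health.get("number_of_nodes") != expected_nodes:
        findings.append(f"number_of_nodes = {health.get('number_of_nodes')}, expected {expected_nodes}")
    for key in ("unassigned_shards", "initializing_shards", "relocating_shards"):
        if health.get(key, 0):
            findings.append(f"{key} = {health[key]}, expected 0")
    return findings


def check_plugins(nodes: Dict, required=("opensearch-security",)) -> List[str]:
    """Every plugin must be built for the OpenSearch version the node runs, and
    the required plugins (by default the security plugin, which enforces TLS and
    authentication on the REST port) must be loaded on every node."""
    findings: List[str] = []
    for node_id, node in nodes.get("nodes", {}).items():
        core = node.get("version")
        loaded = set()
        for plugin in node.get("plugins", []):
            loaded.add(plugin.get("name"))
            built_for = plugin.get("opensearch_version")
            if built_for != core:
                findings.append(f"{node_id}: {plugin.get('name')} built for {built_for}, node runs {core}")
        for name in required:
            if name not in loaded:
                findings.append(f"{node_id}: required plugin {name} is not loaded")
    return findings


def check_bind_addresses(nodes: Dict) -> List[str]:
    """Flag REST listeners bound on all interfaces; the installer binds the node
    to its own address, as the 172.31.22.1:9200 output above shows."""
    findings: List[str] = []
    for node_id, node in nodes.get("nodes", {}).items():
        for addr in node.get("http", {}).get("bound_address", []):
            host = addr.rsplit(":", 1)[0].strip("[]")   # handles "[::]:9200" too
            if host in ("0.0.0.0", "::"):
                findings.append(f"{node_id}: REST API bound on all interfaces ({addr})")
    return findings


def run_checks(health: Dict, nodes: Dict, expected_nodes: int = 1) -> List[str]:
    """Aggregate all findings; an empty list means every check passed."""
    return (check_health(health, expected_nodes)
            + check_plugins(nodes)
            + check_bind_addresses(nodes))


if __name__ == "__main__":
    # Against a live node, fetch both documents with the CA pinned instead of -k
    # (certificate path assumed):
    #   curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin:"$PASSWORD" \
    #        https://172.31.22.1:9200/_cluster/health > health.json
    #   curl --cacert /etc/wazuh-indexer/certs/root-ca.pem -u admin:"$PASSWORD" \
    #        https://172.31.22.1:9200/_nodes > nodes.json
    # then json.load() each file and pass them to run_checks(). The embedded
    # samples are used here.
    problems = run_checks(SAMPLE_HEALTH, SAMPLE_NODES)
    print("PASS" if not problems else "\n".join(problems))
```

Pinning the root CA with `--cacert` rather than `-k` matters for the real run: with `-k` the password in `-u admin:${PASSWORD}` is sent to whatever answers on 9200, so a release check that disables verification also stops testing the certificates the installation assistant generated.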

@vicferpoy

Wazuh indexer packages uninstallation procedure 🟢

[root@ip-172-31-22-1 ec2-user]# bash wazuh-install.sh -u
28/06/2022 10:52:45 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.5
28/06/2022 10:52:45 INFO: Verbose logging redirected to /var/log/wazuh-install.log
28/06/2022 10:52:47 INFO: Wazuh manager not found in the system so it was not uninstalled.
28/06/2022 10:52:47 INFO: Filebeat not found in the system so it was not uninstalled.
28/06/2022 10:52:47 INFO: Wazuh dashboard not found in the system so it was not uninstalled.
28/06/2022 10:52:47 INFO: Removing Wazuh indexer.
28/06/2022 10:52:49 INFO: Wazuh indexer removed.
[root@ip-172-31-22-1 ec2-user]# systemctl status wazuh-indexer
Unit wazuh-indexer.service could not be found.
[root@ip-172-31-22-1 ec2-user]# rpm -qa | grep wazuh
[root@ip-172-31-22-1 ec2-user]#

@vicferpoy commented Jun 28, 2022

User experience 🟡

Everything worked correctly without any issue. The procedure felt smooth and easy to follow (using the documentation). However, doing some manual testing I encountered what could be an annoying situation:

  1. I had a Wazuh stack deployed and working.
  2. I reinstalled the Wazuh indexer.
  3. The Wazuh dashboard could not check the alerts index patterns and would loop forever. No additional information could be retrieved.
  4. I restarted the Wazuh dashboard service. Everything went back to normal.

A low-quality screen capture of this issue can be checked:

Screenshare.-.2022-06-28.1_24_59.PM.mp4
